For IT, security & procurement
First Six is built privacy-first, hosted in Australia, and documented for procurement, so the platform helps your assessment rather than fighting it.
The challenge
Student-facing tools are often a security team's headache: unclear data residency, weak tenant isolation, another set of credentials, and a vendor who cannot answer a HECVAT. The product might be great, but it cannot get past review.
Outcomes
What changes when First Six is running for your team.
A faster, smoother security review
The documentation your assessors ask for is ready on day one, not weeks later.
No new passwords to manage
Single sign-on through your existing identity provider keeps access in your control.
Clear answers on data residency
Australian hosting and a disclosed subprocessor list answer the questions procurement always asks.
A platform that helps your assessment
Privacy-first design means the product supports your review rather than fighting it.
How First Six helps
The same six-week method, pointed at what your team needs.
01
Host where you expect
Application data is stored in Australia (AWS Sydney), with tenant isolation enforced in the database by row-level security.
02
Use your sign-in
Access runs through your identity provider over single sign-on, so there's no new password and offboarding stays in your control.
03
Hand over the documents
Security overview, HECVAT responses, accessibility self-assessment, and the subprocessor list are written and ready to share.
04
Move the review quickly
Because the answers and architecture are documented up front, your assessment proceeds without chasing a vendor for basics.
What you get with First Six
Three things this gives your team from the first week.
Built privacy-first
Data minimisation, Australian residency, and tenant isolation enforced in the database.
Fits your stack
Single sign-on through your identity provider, with audience groups synced from your systems.
Documented for review
Security overview, HECVAT responses, accessibility self-assessment and subprocessor list, ready to share.
Start your security review
Request the full security and compliance pack.
Frequently asked questions
What teams ask us most.
In Australia, in AWS's Sydney region. A small number of disclosed US subprocessors handle diagnostic-only, PII-scrubbed data. The full subprocessor list and regions are published in the Trust Centre.
Yes. We maintain HECVAT responses and a supporting document set, and can complete institution-specific questionnaires as part of procurement.
Every record carries its institution and is filtered by database row-level security, so isolation is enforced by the database itself, not by app code.
Not yet. Both are on the roadmap, and we won't imply otherwise. We operate the controls those frameworks look for and can walk you through them. See the Trust Centre.
See it for your next cohort.
Currently meeting with universities.